Skip to content

Latest commit

 

History

History
66 lines (47 loc) · 5.54 KB

AUTH.md

File metadata and controls

66 lines (47 loc) · 5.54 KB

#Authentication in Azure Management Libraries for Java

To use the APIs in the Azure Management Libraries for Java, as the first step you need to create an authenticated client. There are several possible approaches to authentication. This document illustrates a couple of the simpler ones.

Using an authentication file

⚠️ Note, file-based authentication is an experimental feature that may or may not be available in later releases. The file format it relies on is subject to change as well.

To create an authenticated Azure client:

Azure azure = Azure.authenticate(new File("my.azureauth")).withDefaultSubscription();

The authentication file, referenced as "my.azureauth" in the example above, uses the Java properties file format and must contain the following information:

subscription=########-####-####-####-############
client=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
tenant=########-####-####-####-############
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.windows.net/
graphURL=https\://graph.windows.net/

This approach enables unattended authentication for your application (i.e. no interactive user login, no token management needed). The client, key and tenant are from your service principal registration. The subscription represents the subscription ID you want to use as the default subscription. The remaining URIs and URLs represent the end points for the needed Azure services, and the example above assumes you are using the Azure worldwide cloud.

Using ApplicationTokenCredentials

Similarly to the file-based approach, this method requires a service principal registration, but instead of storing the credentials in a local file, the required inputs can be supplied directly via an instance of the ApplicationTokenCredentials class:

ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client, tenant, key, AzureEnvironment.AZURE);
Azure azure = Azure.authenticate(credentials).withSubscription(subscriptionId);

where client, tenant, key and subscriptionId are strings with the required pieces of information about your service principal and subscription. The last parameter, AzureEnvironment.AZURE represents the Azure worldwide public cloud. You can use a different value out of the currently supported alternatives in the AzureEnvironment enum.

Creating a Service Principal in Azure

In order for your application to log into your Azure subscription without requiring the user to log in manually, you can take advantage of credentials based on the Azure Active Directory service principal functionality. A service principal is analogous to a user account, but it is intended for applications to authenticate themselves without human intervention.

If you save such service principal-based credentials as a file, or store them in environment variables, this can simplify and speed up your coding process.

⚠️ Note: exercise caution when saving credentials in a file. Anyone that gains access to that file will have the same access privileges to Azure as your application. In general, file-based authentication is not recommended in production scenarios and should only be used as a quick shortcut to getting started in dev/test scenarios.

You can easily create a service principal and grant it access privileges for a given subscription through Azure CLI 2.0.

  1. Create a new blank text file with the format described in section Using an authentication file.
  2. Install Azure CLI by following the README.
  3. Login by running command az login.
  4. Select the subscription you want your service principal to have access to by running az account set <subscription name>. You can view your subscriptions by az account list --out jsonc. Copy the subscription id into subscription field in the file.
  5. Create a service principal by az ad sp create-for-rbac. Copy the client_id value into client field in the file, and client_secret value into key field.
  6. Assign a role to the service principal. You can find the command to execute in the "Assign a role" section from the output of the previous command. It should look like az role assignment create --assignee <client id> --role Contributor. The role can be "Owner", "Contributer", "Reader", etc. For more information about roles in Azure, please refer to https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-what-is/.
  7. Put your email domain into the tenant field, e.g., contoso.com.
  8. Assuming you are using the Azure worldwide public cloud, also add the following to your text file: (Note that this file follows the Java properties file format, so certain characters, such as colons, need to be escaped with a backslash)
    managementURI=https\://management.core.windows.net/
    baseURL=https\://management.azure.com/
    authURL=https\://login.windows.net/
    graphURL=https\://graph.windows.net/
    For other environments, please refer to AzureEnvironment.java for their corresponding values.

Now all the pieces are in place to enable authenticating your code without requiring an interactive login nor the need to manage access tokens.